Authored By
Dylsss
Jan 15 2022, 9:24 PM

T299289.patch

From 9f9b8adf605a323181d52ae723fe47e5acfabea0 Mon Sep 17 00:00:00 2001
From: dylsss <dylssswp@gmail.com>
Date: Sat, 15 Jan 2022 19:12:27 +0000
Subject: [PATCH] SECURITY: Escape various messages in WikibaseMediaInfo
Escaped various messages using mw.message.escaped() or Html::element instead of Html::rawElement to prevent XSS.
Bug: T299289
Change-Id: If031d8715b946062c2ac840a457af379401adc87
---
resources/filepage/CaptionDataEditor.js | 8 ++++----
resources/filepage/CaptionsPanel.js | 2 +-
resources/statements/inputs/TimeInputWidget.js | 6 +++---
src/WikibaseMediaInfoHooks.php | 4 ++--
4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/resources/filepage/CaptionDataEditor.js b/resources/filepage/CaptionDataEditor.js
index 6742ed71..95c2855e 100644
--- a/resources/filepage/CaptionDataEditor.js
+++ b/resources/filepage/CaptionDataEditor.js
@@ -76,15 +76,15 @@ CaptionDataEditor = function ( guid, captionData, config ) {
self.setInputWarning( '' );
if ( self.minCaptionLength !== undefined && self.minCaptionLength - length > 0 ) {
- self.setInputError( mw.msg(
+ self.setInputError( mw.message(
'wikibasemediainfo-filepage-caption-too-short',
self.minCaptionLength - length
- ) );
+ ).escaped() );
} else if ( self.maxCaptionLength !== undefined && length - self.maxCaptionLength > 0 ) {
- self.setInputError( mw.msg(
+ self.setInputError( mw.message(
'wikibasemediainfo-filepage-caption-too-long',
length - self.maxCaptionLength
- ) );
+ ).escaped() );
}
} )
.always( function () {
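Review bot: The two changed `self.setInputError(` calls now pass an HTML string (the `.escaped()` output) where they previously passed text, and `setInputError` is defined outside this hunk, so the change is only right if that method inserts its argument as HTML (`.html()`, an unescaped template variable); if it goes through `.text()` or a plain OOUI label string, the entities will show literally and `.text()` would be the matching call. Presumably it is HTML given the fix was accepted, but nothing in the hunk says so. A one-line comment at the first call site would pin this down for the next reader, e.g. `// .escaped(): setInputError() inserts this string as HTML`. The enclosing `CaptionDataEditor` constructor continues past the end of the hunk.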
diff --git a/resources/filepage/CaptionsPanel.js b/resources/filepage/CaptionsPanel.js
index 5caaa08f..2aa9b58f 100644
--- a/resources/filepage/CaptionsPanel.js
+++ b/resources/filepage/CaptionsPanel.js
@@ -343,7 +343,7 @@ CaptionsPanel.prototype.getTemplateDataReadOnly = function () {
language = captionData.languageText;
caption = captionData.text ?
mw.html.escape( captionData.text ) :
- mw.msg( 'wikibasemediainfo-filepage-caption-empty' );
+ mw.message( 'wikibasemediainfo-filepage-caption-empty' ).escaped();
templateCaptions.push( {
show: self.state.displayAllLanguages ? true : showCaptionFlags[ langCode ],
diff --git a/resources/statements/inputs/TimeInputWidget.js b/resources/statements/inputs/TimeInputWidget.js
index bf55c3bb..e003b883 100644
--- a/resources/statements/inputs/TimeInputWidget.js
+++ b/resources/statements/inputs/TimeInputWidget.js
@@ -111,8 +111,8 @@ TimeInputWidget.prototype.getTemplateData = function () {
isQualifier: this.state.isQualifier,
isActive: this.state.isActive,
formatted: this.state.value === '' ?
- mw.msg( 'wikibasemediainfo-time-timestamp-empty' ) :
- mw.msg( 'wikibasemediainfo-time-timestamp-invalid' ),
+ mw.message( 'wikibasemediainfo-time-timestamp-empty' ).escaped() :
+ mw.message( 'wikibasemediainfo-time-timestamp-invalid' ).escaped(),
input: this.input,
precisionLabel: mw.msg( 'wikibasemediainfo-time-precision-label' ),
calendarLabel: mw.msg( 'wikibasemediainfo-time-calendar-label' ),
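Review bot: The two context lines `precisionLabel: mw.msg( ... )` and `calendarLabel: mw.msg( ... )` sit in the same template-data object as the newly escaped `formatted` key, so a reader can no longer tell from this object which keys hold HTML and which hold text; whether leaving them on `mw.msg()` is safe depends on the template outputting them with escaping, which this hunk does not show. A short comment above `formatted:` naming that it is the one key the template renders unescaped would keep the next edit from escaping the wrong keys or missing one, e.g. `// formatted is rendered raw by the template; every other key is escaped there`. The enclosing `getTemplateData` runs past this hunk.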
@@ -129,7 +129,7 @@ TimeInputWidget.prototype.getTemplateData = function () {
var $formatted = $( '<span>' ).addClass( 'wbmi-input-widget--formatted' ).text( formatted );
return $.extend( {}, data, {
- formatted: mw.msg( 'wikibasemediainfo-time-timestamp-formatted', $formatted.get( 0 ).outerHTML )
+ formatted: mw.message( 'wikibasemediainfo-time-timestamp-formatted', $formatted.get( 0 ).outerHTML ).escaped()
} );
} );
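Review bot: On the changed `formatted:` line, `.escaped()` is applied after `$formatted.get( 0 ).outerHTML` has been substituted into the message, so the `<span class="wbmi-input-widget--formatted">` markup built on the line above arrives as literal `&lt;span …&gt;` text rather than as an element; the escaping fixes the message text but breaks the parameter. Since the span already holds the value safely via `.text( formatted )`, the parameter can be passed as a node and the message parsed instead of escaped: `formatted: mw.message( 'wikibasemediainfo-time-timestamp-formatted', $formatted ).parse()`. jqueryMsg inserts jQuery/DOM parameters as nodes and limits the message text itself to its allowed tag list, but confirm that `parse()` is the rendering this template expects before relying on it.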
};
diff --git a/src/WikibaseMediaInfoHooks.php b/src/WikibaseMediaInfoHooks.php
index e7932ac5..400fa009 100644
--- a/src/WikibaseMediaInfoHooks.php
+++ b/src/WikibaseMediaInfoHooks.php
@@ -402,7 +402,7 @@ class WikibaseMediaInfoHooks {
}
// Add a title to statements for no-js
- $statements = \Html::rawElement(
+ $statements = \Html::element(
'h2',
[ 'class' => 'wbmi-structured-data-header' ],
$textProvider->get( 'wikibasemediainfo-filepage-structured-data-heading' )
@@ -427,7 +427,7 @@ class WikibaseMediaInfoHooks {
$extractedHtml['unstructured']
);
// Add a title for no-js
- $tab1Html = \Html::rawElement(
+ $tab1Html = \Html::element(
'h2',
[ 'class' => 'wbmi-captions-header' ],
$textProvider->get( 'wikibasemediainfo-filepage-captions-title' )
--
2.33.0.windows.2
